Securing Windows XP Professional in a Peer-to-Peer Networking Environment

Updated : July 21, 2006

On This Page

Introduction
Before You Begin
Securing the File System
Windows Firewall
Updating Security Patches
Related Information

Introduction

Peer-to-peer networking can increase productivity by making it easy to share information and resources on your network. However, the ability of computer users to control access to their computers can leave them vulnerable to information theft, loss, or inadvertent sharing of files. Therefore, in addition to enforcing a company computing policy you should make sure you and your employees understand the basics of Windows peer-to-peer networking and security.

With the threat of malicious code—such as worms, viruses, Trojan horses, and spyware—and hackers, it is critical to take immediate action to lock down desktop and portable computers. This document explains how to implement security measures for a small or medium-sized business environment where peer-to-peer networking is used. These recommendations help ensure that your computers running Microsoft® Windows® XP Professional with Service Pack 2 (SP2) are more secure, while ensuring that users can continue to be efficient and productive on their computers.

Objective of This Document

After you familiarize yourself with the information in this document, you should be able to increase the security of a peer-to-peer workgroup.

Before You Begin

As with any security recommendations, this guidance strives to find the right balance between enhanced security and usability. The recommendations provided in this document will work successfully for Windows XP Professional SP2 deployments in a wide variety of environments. However, before implementing these recommendations you should note that this document does not address the wide variety of needs and configurations that may be required in a large organization. In addition, the guidance may not fully address the specific security needs of some organizations.

Meeting the Service Pack Requirement

The recommendations in this document apply only to computers running Windows XP Professional with SP2 that are members of a workgroup, not a domain. If SP2 is not installed on a particular computer or if you do not know whether it is installed, you can go to the Microsoft Update page on the Microsoft Web site at https://windowsupdate.microsoft.com, and have your computer scanned for available updates. If SP2 shows up as an available update, install it before starting the procedures in this document.

Note   Installing SP2 requires a computer restart.

Administrative Requirements

You must be logged on as an administrator or a member of the Administrators group to complete the following procedures. If your computer is connected to a network, network policy settings might also prevent you from completing these procedures.

Securing the File System

A file system determines the way that directories and files are organized on a computer. There are ways to protect your file system from unauthorized access, alteration or deletion. This section provides step-by-step instructions for completing the following tasks, which will help you secure the file system:

  • Converting file systems to NTFS

  • Using antivirus software

  • Using Windows Defender (Beta 2)

  • Protecting file shares

  • Securing shared folders

  • Disabling unnecessary services

  • Disabling or deleting unnecessary accounts

Converting Your File Systems to NTFS

During the Windows XP setup process, computers can be configured to use either the FAT32 or NTFS file system.

FAT32 is an older technology that previous versions of Windows use. The NTFS file system is faster and more secure than FAT32 and many other, older file systems. For optimal performance of the operating system, use NTFS to protect all of the file system partitions on your computer. Use the following two procedures to first verify the type of file system on your computer, and then, if needed, convert the file system to NTFS.

Important   You should consider the following limitations before you convert a FAT partition to NTFS:

  • The conversion is a one-way process. After you convert a partition to NTFS, you cannot convert the partition back to FAT. To restore the partition as a FAT partition, the partition would have to be reformatted as FAT, which erases all data from the partition. Data would then have to be restored from backup.

  • Removing Windows XP to revert to Windows 98 or to Windows Millennium Edition (Me) is not an option after you convert any drive on the computer to NTFS.

  • Convert.exe requires that a certain amount of free space be present on the drive to convert the file system. For additional information about the amount of free space that is required for a conversion, see the Microsoft Knowledge Base article
    Free Space Required to Convert FAT to NTFS at https://support.microsoft.com/kb/156560.

To check the file system type on your computer

  1. Click Start, and then click My Computer.

  2. Right-click the drive letter you want to check, and then click Properties.

  3. The file system type should be NTFS as shown in the following screen shot. If it is not, you can use the Convert.exe utility to convert from FAT16 or FAT32 to NTFS.

    XPP2P01.GIF

Repeat this procedure for all partitions located on hard disks on the computer. Even if the file system was configured as FAT32 when the operating system was installed, you can easily convert it to NTFS to provide additional security.

To convert the file system to NTFS, take note of the name of the disk, otherwise known as the volume label (Drive C in the preceding figure). Then complete the following procedure, which will convert your file system to NTFS. Converting your file system to NTFS provides your computer with a higher level of security.

To convert the file system to NTFS

  1. Click Start, Run, type cmd, and then click OK.

  2. At the command prompt, type the following, where <drive_letter> is the drive you want to convert, and then press ENTER:

    convert <drive_letter> : /fs:ntfs

  3. You will be prompted to enter the current volume label for the drive. Enter the volume label that was identified earlier, and then press ENTER.

  4. When the conversion is complete, type exit and then press ENTER to close the command prompt.

    Note   If you are attempting to convert the drive where the operating system is installed, you may be prompted to schedule the conversion to occur the next time the computer is restarted. If this occurs, type y and then press ENTER to restart the computer.

Using Antivirus Software

Computer viruses are programs that are loaded on to your computer without your knowledge or approval. Viruses and other forms of malicious software have been around for years. Today's viruses can replicate themselves and use the Internet and e-mail applications to spread across the world in less than an hour.

An antivirus software program will help protect your computer against many known viruses, worms, Trojan horses, and other malicious code. Antivirus software continually scans your computer for viruses and helps detect and remove them. Installing antivirus software only solves part of the problem—keeping the antivirus signature files up-to-date is critical to maintaining a secure desktop or portable computer.

Many new computers come with antivirus software already installed. However, antivirus software requires a subscription to stay up-to-date. If you don't have a current subscription for these updates, your computer is likely to be vulnerable to new threats.

User education regarding safe e-mail practices is another critical step in preventing virus attacks. Users should not open e-mail messages or take action on e-mail attachments unless they are expecting the file. Ensure that all e-mail attachments are scanned with antivirus software before they are executed.

Microsoft offers Windows Live OneCare, an automatically self-updating PC care service that runs quietly in the background. It helps provide persistent protection against viruses, hackers, and other threats, and helps keep your PC tuned up and your important documents backed up. For more details, see Windows Live OneCare at www.windowsonecare.com/.

For more information about software vendors that provide antivirus software that is compatible with Windows XP, see the List of antivirus software vendors page on the Microsoft Web site at https://support.microsoft.com/kb/49500.

Using Microsoft Defender

Windows Defender (Beta2) is a security technology that helps protect Windows users from spyware and other potentially unwanted software. Known spyware on your PC can be detected and removed, which helps reduce negative effects caused by spyware, including slow PC performance, annoying pop-up ads, unwanted changes to Internet settings, and unauthorized use of your private information. Continuous protection improves Internet browsing safety by guarding more than 50 ways spyware can enter your PC. Participants in the worldwide SpyNet™ community play a key role in determining which suspicious programs are classified as spyware. Microsoft researchers quickly develop methods to counteract these threats, and updates are automatically downloaded to your PC so you stay up-to-date.

You can download Windows Defender from www.microsoft.com/athome/security/spyware/software/default.mspx. The current version is a Beta 2 version. The file name is WindowsDefender.msi and is about 5.5MB in size. (The file name and size may change after the full release.)

Protecting File Shares

Windows XP Professional file shares are a way of sharing files on a local hard drive with users on other Windows–based systems. An entire directory or folder can be given a share name and permissions to that file share can be assigned to users or groups of users. These file shares function the same whether a workstation is a member of a domain or a workgroup. In both configurations a share can be created to allow other users from other workstations to access a directory on a local hard drive. A Windows XP Professional workstation user can assign permission to these shares to local accounts and groups in both configurations, but can only assign access to Active Directory® directory service accounts and groups if the workstation is a member of Active Directory.

By default, shares are created with Everyone having full control. These permissions must be modified to allow only those who need access to the share. In addition, user accounts and groups of user accounts can be limited to what they can do on a file share. They can be limited to read-only access or they can be assigned permissions to create, change, and even delete files.

File sharing is intended for use on a home or business network behind a firewall, such as Windows Firewall (provided with Windows XP SP2). If you are connected to the Internet, and are not operating behind a firewall, remember that any file shares you create might be accessible to any user on the Internet.

Securing Shared Folders

Windows peer-to-peer networking allows you to share the contents of your file system with other computers on your network. The following procedure assumes that you have already shared one or more folders in your file system. By changing some of the default file system settings, you can restrict unauthorized access to your shares.

  • Every user that requires access to the share from their computer also needs a user account on the workstation with the share. This requirement is a limitation of a peer-to-peer workgroup network configuration. It is wise to keep the number of computers that have shared directories to a minimum. If you have shares on all workstations, you have to have user accounts on all workstations, which can quickly become a complex configuration to support.

  • You can set permissions only on drives that are formatted to use the NTFS file system.

  • In the following steps you will remove the Everyone special group that provides anonymous access. Then you will assign each local user account Read or Change permissions to the shared folder.

    • Read gives a user account enough permissions to list the files, open the files, and copy the files from the share to another location.

    • Change gives a user account the ability to list, add, modify, and delete files.

    You have to select both Change and Read to assign Change permissions. Limit the number of users to whom you assign Change permissions. It is not advisable to assign other user accounts Full Control to the share. Full Control gives users the same permissions as Change, but also the ability to take ownership of files/directories and change permissions.

To secure a shared folder

  1. Right-click a folder that has been previously shared, and then select Sharing and Security.

  2. On the Sharing tab, click Permissions. A screen similar to the following will display.

    XPP2P02.GIF

  3. Select the Everyone group, and then click Remove.

  4. Click Add to select which users can access the folder.

  5. In the Select Users , or Groups dialog box, click Object Types.

  6. Clear the Built-in security principals and Groups check boxes, and then click OK.

  7. Click Advanced.

  8. Click Find Now.

  9. Click to highlight the users you want to be allowed to access the folder. After the users are selected, click OK.

  10. Now each user in the permissions list needs to be given the correct type of access. Double-click a user, and then clear the Allow check box next to Full Control. Then choose whether you want the user to have Change and Read or just Read access.

  11. Click OK.

  12. Click OK again to close the Folder Permissions dialog box.

    Note   If the check boxes on the Permissions dialog box are not available, the permissions are inherited from the parent folder.

Disabling Unnecessary Services

By disabling unnecessary services you can reduce the chances of a known or unknown vulnerability being exploited. Use Add or Remove Programs in Control Panel to disable services.

For a list of services and their settings, see the Default settings for services page on the Microsoft Windows XP Professional Documentation Web site at www.microsoft.com/resources/documentation/windows/xp/all/proddocs/
en-us/sys_srv_default_settings.mspx?mfr=true.

Disabling or Deleting Unnecessary User Accounts

Disable or delete any user accounts that you do not require. By disabling or deleting unnecessary accounts you can reduce the chances of unauthorized access to your computer.

To disable an account

  1. Click Start, and then click Control Panel.

  2. Double-click User Accounts.

  3. Click the Advanced tab and then click the Advanced button.

  4. Click the Users branch.

  5. Double-click a user account to display the properties dialog box.

  6. Select the Account is disabled checkbox.

Note   A disabled account will still exist, but the user is not permitted to log on. It appears in the Users details pane, but the icon has an X in it.

To delete an account

  1. Perform steps 1 through 4 in the previous procedure.

  2. Instead of double-clicking the account, right-click it and select Delete.

    • Before you delete user accounts, disable them first. After you are certain that disabling the account has not caused a problem, you can safely delete it.

    • A deleted user account cannot be restored.

    • The built-in Administrator and Guest accounts cannot be deleted.

Securing User Accounts

By using passwords and configuring account lockout, you can reduce the chances of unauthorized access to your computer.

Using Passwords

It is important that all user accounts on every workstation have a password. Leaving passwords blank allows people to access computers as if they were someone else.

  • Do not use the Guest account on workstations. It should be disabled.

  • Every user should have their own user account. User accounts and passwords should not be shared.

Two concepts are commonly confused with regard to passwords. A user account can become locked out, which is typically caused by trying to log on with an incorrect password too many times. The account just needs to be unlocked—the password does need to be reset unless the user has forgotten what the password was. A good example, and probably the most common, is when someone gets locked out because they had the CAPS LOCK key on when they were typing their password.

A password reset provides the user account with a new password, usually a temporary password. The temporary password can then be provided to the user so they can log on. It is best to set such passwords to expire the first time they are used, in case the user forgets to change it after logging on. Forcing the user to log on and immediately create a new password ensures that only the user knows their password.

To unlock a locked user account

  1. Click Start, and then click Control Panel.

  2. Double-click User Accounts.

  3. Click the Advanced tab and then click the Advanced button.

  4. Click the Users branch.

  5. Find the affected user account and double-click it.

  6. Clear the Account is locked out checkbox and then click OK.

To set or reset a password for an existing user account

  1. Perform steps 1 through 5 from the previous procedure.

  2. Place a checkmark in the User must change password at next logon option. Then click OK.

  3. Right-click the account in question and click Set Password. You will be prompted with a warning message. Make note of the possible impact before proceeding.

  4. If you clicked the Proceed button, enter the temporary password in both password fields.

  5. Click OK and communicate the temporary password to the user.

Windows Firewall

Windows Firewall is a host-based firewall solution that is included as part of Windows XP Professional SP2 and is highly configurable. It is enabled by default and helps protect against network attacks. Windows Live OneCare also monitors Windows Firewall, giving you a single console to check the overall security status of your PC.

Windows Firewall is not intended to replace the functionality of a network firewall. Windows Firewall enables Windows networking ports so that peer-to-peer workgroups can communicate and share resources. A network firewall needs to be in place to protect the network while Windows Firewall protects each workstation for which it is installed and enabled. A number of manufacturers have affordable network firewalls designed for small to medium-sized networks.

To verify that Windows Firewall has not been disabled

  1. Click Start, and then click Control Panel.

  2. Double-click the Windows Firewall icon.

  3. Ensure that On (recommended) is selected.

Updating Security Patches

A good way to keep up-to-date on security patches is to subscribe to Microsoft Security bulletins which are sent via e-mail. You can sign up to receive the security bulletins on the Microsoft Security Web site at www.microsoft.com/security/default.mspx. In addition to staying informed through bulletins, there are a number of technologies that can help automate security patching.

Automatic Update

The Automatic Update feature in Windows XP can automatically detect and download the latest security patches from Microsoft. It can be configured to automatically download fixes in the background and then prompt the user to install them after the download is complete.

To configure your computer for automatic updates

  1. Click Start, and then click Control Panel.

  2. Double-click the Automatic Updates icon.

  3. Configure all your Windows XP workstations to Automatic. Note that you can configure how often and what time of day these updates will occur.

  4. Click OK.

Note   Microsoft also issues security bulletins through its Security Notification Service. These bulletins are issued for any Microsoft product that is found to have a security issue.

For more information about securing Windows XP, see the following:

For more information about related topics on securing Windows XP, see the following:

Download

Get the Securing Windows XP Professional in a Peer-to-Peer Networking Environment